From 32444fe8aef4d6076e8190960247b91408d9a3c8 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 31 Jan 2021 16:37:58 +0100
Subject: [PATCH] services: add nginx and acme auto-configuration
This ensures that the recommened settings are turned on when using Nginx in any service. It also provides for a SSL certificate using Let's Encrypt.
---
 configuration.nix | 10 ++--------
 services/default.nix | 7 +++++++
 services/nginx.nix | 42 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 8 deletions(-)
 create mode 100644 services/default.nix
 create mode 100644 services/nginx.nix
diff --git a/configuration.nix b/configuration.nix
index 4032e07..b7a7473 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -9,6 +9,8 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ # Include my services
+ ./services
 ];
 # Use the GRUB 2 boot loader.
@@ -73,19 +75,11 @@
 programs.mosh.enable = true; # Opens the relevant UDP ports.
- # List services that you want to enable:
-
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
 services.openssh.permitRootLogin = "no";
 services.openssh.passwordAuthentication = false;
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/services/default.nix b/services/default.nix
new file mode 100644
index 0000000..4194069
--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ imports = [
+ ./nginx.nix
+ ];
+}
diff --git a/services/nginx.nix b/services/nginx.nix
new file mode 100644
index 0000000..48ca7ec
--- /dev/null
+++ b/services/nginx.nix
@@ -0,0 +1,42 @@
+# Configuration shamelessly stolen from [1]
+#
+# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
+{ config, lib, ... }:
+
+{
+ # Whenever something defines an nginx vhost, ensure that nginx defaults are
+ # properly set.
+ config = lib.mkIf ((builtins.attrNames config.services.nginx.virtualHosts) != [ ]) {
+ services.nginx = {
+ enable = true;
+ statusPage = true; # For monitoring scraping.
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # Nginx needs to be able to read the certificates
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ # Use DNS wildcard certificate
+ security.acme = {
+ email = "bruno.acme@belanyi.fr";
+ acceptTerms = true;
+ certs =
+ let
+ domain = config.networking.domain;
+ in
+ {
+ "${domain}" = {
+ extraDomainNames = [ "*.${domain}" ];
+ dnsProvider = "gandiv5";
+ credentialsFile = ../secrets/acme/key.env;
+ };
+ };
+ };
+ };
+}
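Review bot: `credentialsFile = ../secrets/acme/key.env;` is a Nix path literal, so evaluating this module copies the Gandi DNS API key into `/nix/store`, which is world-readable on the host and travels with the closure to any remote builder or binary cache it is pushed to, exposing the credential to every local user. Point the option at a file that lives outside the store instead, as a string rather than a path, e.g. `credentialsFile = "/var/lib/acme/gandi.env";` provisioned with mode 0600 by whatever secret-management tool you use, and keep `../secrets/` out of the repository. Two smaller points: nothing in this hunk makes virtual hosts consume the wildcard certificate, so a vhost with `enableACME = true` would still request its own per-host certificate over HTTP-01 unless it sets `useACMEHost = domain`; and if `networking.domain` is unset the `"${domain}"` attribute name fails at evaluation time, which is probably the desired failure mode but deserves a short comment next to the `let domain = ...` binding.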